Systems and methods for controlling email access

ABSTRACT

Examples described herein include systems and methods for controlling access to a server, such as an email server or a gateway, in situations where the identity of the requesting device is unknown or where the user device accesses the server using an unknown or unmanaged application. In one example, the system can utilize a user authentication credential included in the request to identify other devices belonging to the user that happen to be enrolled with the system. An out-of-band message can be sent to those enrolled devices, requesting confirmation from the user and, in conjunction with an authentication token, allowing the system to trust the previously unknown device. In the example of an unmanaged application attempting to access an email server, the system can confirm compliance of the requesting device and issue an authentication token that, along with an appropriate command sent to the email server, provides access.

This application claims priority as a continuation of U.S. patentapplication Ser. No. 15/664,729, filed Jul. 31, 2017, which is expresslyincorporated herein in its entirety.

BACKGROUND

Data security remains a high priority for any business or enterprisethat transmits personal or confidential information remotely, such asover the internet. A critical portion of data security isauthentication. User-authentication procedures can range from a simpleusername and password to a fully managed device that is enrolled in asystem—such as an Enterprise Mobility Management (“EMM”) or MobileDevice Management (“MDM”) system—and uses preinstalled files or softwareto authenticate the device with the system.

EMM systems offer increased security by obtaining information about thetype of device being connected to the network and then installingsoftware on the device that monitors and manages connections to secureresources. EMM systems can install a profile that allows the device tobe identified to a back-end server upon making a request so that theserver can identify the device. Some users, however, may want to use anapplication that does not allow use of a profile. For example, usersmight use third-party mail clients that lack the ability to integratewith device profiles provided by an EMM system.

Authentication with a third-party mail client therefore can use a simpleusername and password to access a mail server. However, access requestsfrom these third-party mail clients can come from unenrolled devicesthat are not known to the system. As a result, the enterprise or mailsystems are unable to identify the device to determine if the deviceshould be denied access, and simply deny access to a device having anidentifier that is not previously known to the system. Users, however,would like to use third-party mail clients or unenrolled devices withoutbeing denied access. At the same time, administrators would like moresecurity than simply granting access to any device that provides arequest with the proper user name and password. For example, it would bedesirable to deny e-mail access to a device that is jailbroken orotherwise compromised, even if the user has the correct username andpassword.

As a result, a need exists for improved methods of providing access to aserver, including providing application-specific access, whilemaintaining a high level of security.

SUMMARY

Examples described herein include systems and methods for controllingaccess to a server, such as an email server or a gateway. In oneexample, the server is a gateway having privileged access to an emailserver. An example method can provide application-specific access to aserver, even when a user accesses the server with an unmanaged emailapplication on a user device. The example method can include receiving arequest for access to the server from the user device, where the requestincludes a user authentication credential associated with a user and adevice identifier associated with both the user device and anapplication being used to request access. The device identifier can be auser agent string or a portion of a user agent string.

The method can also include, in response to the request, sending anout-of-band message to the user. For example, the out-of-band messagecan be SMS, MMS, email, phone call, WORKSPACE ONE message, or a VMWAREVERIFY message. The out-of-band message can request confirmation fromthe user regarding the request for access from the user device. Forexample, a message can ask “did you just login?” Confirmation can bereceived from the user in response to the out-of-band message. Themethod can then include sending an authentication token to the userdevice. The authentication token can be specific to the user device, theuser, and the application being used to request access. A database canbe updated with information regarding the authentication token and theassociated user device, user, and application. The method can furtherinclude providing access to the server based on receiving the userauthentication credential, device identifier, and authentication tokenfrom the user device.

In one example, the method can also include sending a request forverification from the server to an identity management server, based oninformation associated with the request for access. The identitymanagement server can send a check to the management server. Inresponse, the management server can attempt to identify the user basedon the information associated with the request for access. For example,an email identifier, user identifier, or password can identify the user.The management server can determine whether the user is associated withany enrolled devices. If so, the management server can then send anauthentication token to the enrolled device or to the device currentlybeing used by the user. After the user authenticates then token, themanagement server can send a message to the server (such as an emailserver or secure email gateway (“SEG”)), instructing the server toprovide access to the user device by, for example, placing the device onan approved list. Providing access to the server can therefore also bebased on receiving an instruction from the management server.

Another example method is provided for providing access to an emailserver using a third-party email application on a user device. Theexample method can include receiving, at an identity management server,a communication from the email server. The communication can includeinformation regarding a request for access to the email server from auser device. The method can further include sending, from the identitymanagement server to a management server at which the user device isenrolled, a request for authorization to access the email server. Themanagement server can identify the user based on the informationregarding the request for access. With the user identified, themanagement server can determine whether the user is associated with anyenrolled device. If no enrolled devices are found, the management servercan instruct the identity management server to deny the request. If anenrolled device is found, the management server can cause anauthentication token to be sent to the enrolled device, or devices. Theuser can authenticate the token to indicate that the original requestfor access originated with the user. The management server can thendetermine that the user device is authorized to access the email serverusing the third-party application. In response to determining that theuser device is authorized to access the email server, the managementserver can send an instruction to the email server to provide the userdevice with access to the email server.

In one example, the identity management server can be identified by theemail server based on the email address associated with the user device.For example, the email server can parse the email address of the userdevice and compare the domain of the email address (e.g., “@vmware.com”)with entries on a lookup table that identity corresponding identitymanagement services.

In an example, the information regarding the request for authorizationto access the email server can include an identification of theapplication used to request access to the email server. Determiningwhether the user device is authorized can include determining, at themanagement server, whether the identified application is approved toaccess the email server. In some examples, determining whether the userdevice is authorized to access the email server can include sending anout-of-band message to the user, requesting confirmation from the userregarding the request for access from the user device, and receivingconfirmation from the user in response to the message.

Determining whether the user device is authorized to access the emailserver can also include sending an authentication token to the userdevice. In that example, sending an instruction to the email server toprovide the user device with access can include sending an instructionto the email server to request the authentication token from the userdevice, where access is contingent upon the authentication token beingreceived at the email server

The example methods summarized above can be incorporated into anon-transitory, computer-readable medium having instructions that, whenexecuted by a processor associated with a computing device, cause theprocessor to perform stages for providing access to a server asdescribed. Additionally, the example methods summarized above can beimplemented in a system including, for example, an email server, agateway, a management server, an identity management server, and a userdevice, or any combination thereof.

Both the foregoing general description and the following detaileddescription are exemplary and explanatory only and are not restrictiveof the examples, as claimed.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is an exemplary illustration of system components for controllingaccess to a server.

FIG. 2 is a flowchart of an exemplary method for controlling access to aserver.

FIG. 3 is a flowchart of an exemplary method for controlling access to aserver.

FIG. 4 is an exemplary illustration of system components for controllingaccess to a server.

FIG. 5 is a flowchart of an exemplary method for controlling access to aserver.

FIG. 6 is a flowchart of an exemplary method for controlling access to aserver.

DESCRIPTION OF THE EXAMPLES

Reference will now be made in detail to the present examples, includingexamples illustrated in the accompanying drawings. Wherever possible,the same reference numbers will be used throughout the drawings to referto the same or like parts.

In a first example, systems and methods are provided for implementing amulti-factor authentication procedure for providing access to a server.The multi-factor authentication procedure can be useful in situationswhere an unknown user device is attempting to access the server for thefirst time. It can also be useful where a user device is not enrolledwith an EMM or MDM system, but is attempting to access data on anenterprise server. FIG. 1 provides an illustration of this system, whileFIGS. 2 and 3 provide flowcharts of example methods relating to thissystem.

In a second example, systems and methods are provided for enforcing EMMor MDM constraints on access to a server, even where the server is athird-party server or a user device attempts to access the server usingan unmanaged application on the user device. The server can beconfigured to forward access requests to an identity management service,which in turn can be configured to route access requests to a managementserver. The management server can identify enrolled devices of the userand authenticate the request by, for example, having the userauthenticate a token. The management server can then instruct the serverto provide or deny access to the user device. FIG. 4 provides anillustration of this system, while FIGS. 5 and 6 provide flowcharts ofexample methods relating to this system.

FIG. 1 provides an illustration of an example system for controllingaccess to a server 140. The server 140 can be an email server thatstores and provides access to emails associated with a user 120. Theserver 140 can be multiple servers, processors, and computing devices,some of which can be located remotely from one another. The server 140can be located behind an enterprise firewall, preventing unauthorizedaccess.

A gateway 130 can control access to the server 140. In examples wherethe server 140 is an email server, the gateway 130 can be a SEG thatreceives and routs electronic messages to and from the server 140. Thegateway 130 can have privileged access to the server 140, with fullpermission to save, delete, or otherwise alter electronic files orfolders stored on the server 140. For example, the gateway 130 canutilize Kerberos Constrained Delegation (“KCD”) to securely access theserver 140. The gateway 130 can provide security to the server 140 andoverall enterprise network by only allowing email access to devices thatmeet compliance guidelines set at a management server. The gateway 130can process a device identifier and a profile, included in the request,to determine whether the request should be allowed access to the server140. In some examples, and as explained in more detail below, thegateway 130 can process a request that does not include a known deviceidentifier or an acceptable profile.

In some examples, the gateway 130 is separate from the server 140, suchas being located on a different server, processor, or computing device.The gateway 130 can also be a different virtualized instance on the sameserver hardware as the server 140. In other examples, the functionalityof the gateway 130 can be incorporated into the server 140functionality, such that the two are indistinguishable from one another.The present disclosure is intended to encompass all of these potentialscenarios.

A user 120 can access the gateway 130 through a user device 110. Theuser device 110 can be any computing device, such as a smartphone,laptop, tablet, personal computer, or workstation. A user device 110 caninclude a non-transitory, computer-readable medium containinginstructions that are executed by a processor. Example non-transitory,computer-readable mediums include RAM and ROM, disks, and other memoryand storage that is accessible by a USB port, a floppy drive, CD-ROM orDVD-ROM drive, and a flash drive, among others.

The user 120 can be associated with a plurality of enrolled user devices122. For example, the enrolled user devices 122 can be enrolled at theserver 140 or at a management server associated with an EMM system towhich the server 140 is also associated, as discussed in more detailbelow.

A user 120 can request access to the server 140 or gateway 130 byinitiating a request on the user device 110. For example, the userdevice 110 can execute one or more email applications. Theseapplications can be standard email applications installed as part of anoperating system, such as APPLE's iOS Mail application or MICROSOFTOUTLOOK. The applications can also be aftermarket email solutions, suchas VMWARE's BOXER. The email applications can be managed by a managementserver that enrolls the user device 110. In other examples, the emailapplications can be unmanaged applications. Although email applicationsare discussed as examples herein, other types of applications can beused as well.

When a user 120 utilizes the user device 110 in a manner that generatesa request to the server 140, such as by attempting to download newemails from the server 140, the request for access is sent from the userdevice 110 to the gateway 130. The request can include a userauthentication credential associated with the user 120. Examples of userauthentication credentials include a username and password, token, orcertificate associated with the user 120.

The request for access can also include a device identifier associatedwith the user device 110, an application on the user device 110 beingused to request access, or both. The device identifier can be, forexample, an EXCHANGE ACTIVESYNC Device ID that is associated with theuser device 110. The device identifier can also include informationidentifying, or at least implicating, the specific application beingused to request access to the server 140 from the user device 110. Therequest can also include an application identifier, separate from, orincluded in, the device identifier, that identifies the applicationbeing used to request access to the server 140. The device identifierand application identifier can be included in a user agent string insome examples. The user agent string can identify an operating systemtype and provide some information about the client applicationrequesting access.

Upon receiving the request for access from the user device 110, thegateway 130 can check whether the device identifier associated with theuser device 110 is on a list of approved device identifiers. Forexample, the gateway 130 can access a lookup table stored in memory. Thegateway 130 can also access stored files in a repository 160 to make thedetermination. The repository 160 can be a standalone memory store orserver, or can be associated with the gateway 130 or the server 140,such as by being a directory or folder within a memory store of thegateway 130 or server 140. If the device identifier is on a list ofapproved devices, the gateway 130 can allow access to the server 140,passing the request through to the server 140 and transmittinginformation from the server 140 back to the user device 110.

If, however, the device identifier is not on the list of approveddevices, the gateway 130 can take additional actions to authenticate theuser device 110. For example, using the authentication credentialassociated with the user 120, the gateway 130 can identify the userpurporting to make the request from the user device 110. For example,the gateway 130 can perform a lookup by accessing a management server,repository 160, or other storage location that includes informationabout the user 120. This information can include, for example, a userprofile associated with the user 120 and a listing of enrolled devices122 associated with the user 120, if any. Accordingly, using theinformation about the user in the authentication credential, the gateway130 can cause a confirmation message to be sent to one of more of theuser's 120 enrolled devices 122.

The confirmation message can be generated at the gateway 130 in oneexample. In another example, the gateway 130 can instruct an out-of-bandcommunication module 150 to generate the message. The out-of-bandcommunication module 150 can be a device separate from the gateway 130,such as a standalone computing device or server, or it can be a hardwareor software module within the gateway 130 or server 140. The out-of-bandcommunication module 150 can be a component within an EMM system, suchas a management server or a device or server controlled by themanagement server.

The confirmation message sent by the out-of-band communication module150 can take any form, including, for example, SMS, MMS, email, phonecall, WORKSPACE ONE message, or VMWARE VERIFY message. The confirmationmessage can be sent from the out-of-band communication module 150 to theuser 120, at a device 122 other than the user device 110 being used torequest access.

The confirmation message sent by the out-of-band communication module150 can be a notification to the user 120 or a request for confirmationby the user 120. For example, an SMS can be sent that informs the user“We received a request for access to your secure email files from adevice using MICROSOFT OUTLOOK. If this request was not made on yourbehalf, please reset your password or contact us at security@vmware.comfor assistance.” In another example, the message can include an optionfor the user 120 to respond. For example, the user 120 can be instructedto “respond to this SMS with the word ‘YES’ if you made this request.”Similarly, the user 120 can be instructed to respond only if the attemptwas unauthorized: “respond to this SMS with the word ‘NO’ if you did notmake this request.” In yet another example, the message can include acode, such as a four-digit number, to be input at the user device 110.

Confirmation from the user 120 that they initiated the request foraccess from the user device 110 can come in the form of a response (suchas texting “YES”), a lack of response, or entering a code at a userdevice 110, 122. The confirmation can be received at the out-of-bandcommunication module 150, the gateway 130, or the server 140. When theconfirmation is received, an authentication token can be sent to theuser device 110.

The authentication token can be tied to the user device 110, the user120, the application being used to request access to the server 140, orany combination thereof. For example, the authentication token canidentify a device identifier associated with the user device 110 and theapplication. It can also identify a user 120 by, for example,identifying a profile saved at the gateway 130, repository 160,management server, or elsewhere. The authentication token can beprovided to the user device 110 through any suitable mechanism, such asfrom an authentication server, the gateway 130, the out-of-bandcommunication module 150, or through a service such as WORKSPACE ONE.

After the authentication token has been issued, the list of approveddevice identifiers can be updated. For example, the device identifierassociated with the user device 110 can be updated to reflect that theuser device 110 associated with the device identifier is also associatedwith the authentication token. In some examples, the device identifiercan be added to the approved list regardless of whether the associatedauthentication token is present. In other examples, the deviceidentifier can be conditionally approved provided the authenticationtoken is provided as well.

Because the authentication token can include information about theapplication used to request access to the server 140, it can be used toprovide conditional approval if the same application is used to requestaccess in the future. For example, a whitelist of approved applicationscan be stored at the server 140, gateway 130, or repository 160. Thegateway 130 can compare the application used to make a request foraccess to the server 140 to the whitelist of approved applications. Ifthe application is on the whitelist, the gateway 130 can consider thatapplication to be approved for access. The whitelist can be updated asnew applications are approved or disapproved for any reason. If the user120 attempts to request access using an application not on thewhitelist, the request would not be immediately approved even if theoriginal authentication token was provided. Instead, the authenticationprocess can be repeated and an updated authentication token can beprovided to the user 120, authenticating the new application.

Similarly, a blacklist of unapproved applications can be stored at theserver 140, gateway 130, or repository 160. The blacklist can include alist of applications that are not allowed access to the server 140. Ifthe user 120 attempts to request access using a blacklisted application,the request would be denied.

Even after providing an authentication token to the user device 110, thedevice's 110 authorization to access the server 140 can be revoked atany time. This can be necessary when, for example, a user 120 canunenroll the user device 110, an EMM system administrator can unenrollthe device 110, or the device 110 can otherwise fall out of compliancewith relevant enterprise compliance rules. When authorization needs tobe revoked, the system can revoke the authentication token in oneexample. For example, a lookup table associated with the authenticationtoken can be updated to reflect that the particular authentication tokenis no longer accepted. In another example, a lookup table associatedwith the device identifier can be updated to reflect that the particulardevice identifier associated with the device 110 is not allowed access.In this example, the gateway 130 will deny access because thedevice-identifier lookup will fail. The EMM system can therefore beconfigured to revoke access only to the unauthorized device whileoptionally continuing to provide access to the user's 120 other,enrolled devices 122. In yet another example, an application identifiercan be placed on a blacklist such that requests from the applicationassociated with that application identifier are blocked or denied.

FIG. 2 provides a flowchart of an example method for controlling accessto a server 140. At stage 310 of the method, a request for access to theserver 140 is sent from the user device 110 to the gateway 130. Forexample, the server 140 can be an email server and the gateway 130 canbe a SEG. In that example, the request for access can include opening anemail application on the user device 110 which, upon opening, checkswith the server 140 for any new email messages.

The request for access to the server 140 can include a device identifierassociated with the user device 110, an application on the user device110 being used to request access, or both. The request can also includean application identifier that identifies the application being used torequest access to the server 140. In some examples, the applicationidentifier can be included in the device identifier. For example, thedevice identifier—and in some examples, the application identifieralso—can be included in a user agent string provided with the request.In another example, the device identifier can include an indication ofthe application being used to request access.

At stage 315, the gateway 130 or out-of-band communication module 150can identify the user 120 based on information included in the request.For example, the gateway 130 or out-of-band communication module 150 canperform a lookup by accessing a management server, repository 160, orother managed storage location that includes information about the user120. This information can include, for example, a user profileassociated with the user 120 and a listing of enrolled devices 122associated with the user 120, if any. The out-of-band communicationmodule 150 can then send a notification, such as an SMS, MMS, email,WORKSPACE ONE, or any other type of message, to the user 120 at one ormore of the user's 120 enrolled devices 122.

At stage 317, the gateway 130 or out-of-band communication module 150can perform an application check. The application check can includeusing the application identifier included with the request for accessand comparing it to application identifiers included on a whitelist ofapproved application identifiers. An administrator can configure thewhitelist to include or exclude certain applications, such as unsecureor harmful email applications. If the application identifier is on thewhitelist, stage 320 can be carried out.

If the application identifier is on a blacklist of applicationidentifiers to which access is to be denied, the gateway 130 can denyaccess. If the application identifier is unknown—i.e., not present oneither of the relevant whitelists or blacklists—the request can bepassed to an identity management system to identify the user 120 asdiscussed with respect to FIGS. 4-6. After identifying the user 120,stage 320 can be carried out.

At stage 320, the out-of-band communication module 150 sends anotification to the user 120 regarding the request made at stage 310.The out-of-band communication module 150 can be a component within anEMM system, such as a management server or a device or server controlledby the management server. The out-of-band communication module 150 canact in accordance with instructions from the gateway 130. For example,the gateway 130 can use information included in the request to determinewhether the user device 110 is on a list of approved devices. If not,the gateway 130 can instruct the out-of-band communication module 150 tosend a notification to the user 120.

If the notification sent at stage 320 requests confirmation from theuser 120 that the request at stage 310 was properly initiated by theuser 120, then at stage 330 the user 120 can confirm the request.Confirmation can include, for example, responding to an SMS, MMS, email,or WORKSPACE ONE message with a confirmation message, such as “Yes.” Insome examples, the lack of a response can be interpreted as aconfirmation at stage 330.

Upon receiving confirmation from the user 120, the out-of-bandcommunication module 150 can send an authentication token to the userdevice 110 at stage 340. The authentication token can be tied to theuser device 110, the user 120, the application being used to requestaccess to the server 140, or any combination thereof. For example, theauthentication token can identify a device identifier associated withthe user device 110 and the application. It can also identify a user 120by, for example, identifying a profile saved at the gateway 130,repository 160, management server, or elsewhere. The authenticationtoken can be provided to the user device 110 through any suitablemechanism, such as from an authentication server, the gateway 130, theout-of-band communication module 150, or through a service such asWORKSPACE ONE.

At stage 350, the out-of-band communication module 150 can updaterecords in the system to reflect that an authentication token wasprovided to the user device 110. For example, the out-of-bandcommunication module 150 can send information to the gateway 130, asshown in FIG. 2, or to the server 140 or a repository 160. Theinformation can be used to update a list of approved device identifiersand store information regarding the association between the issuedauthentication token and the user device 110, user 120, and applicationused to access the gateway 130.

At stage 360, the user device 110 can provide an updated request foraccess to the gateway 130. In some examples, the gateway 130 requests anupdated request that includes the authentication token issued at stage340. Upon receiving the updated request and authentication token, thegateway 130 can compare the authentication token and other associatedinformation with the updated information stored at the gateway 130,server 140, repository 160, or elsewhere. In other examples, the gateway130 provides access at stage 370 without requiring an updated requestfor access from the user device 110.

Once the gateway 130 confirms that the user device 110 is authorized toaccess the server, the gateway 130 can provide access at stage 370. Theuser device 110 can then access the server at 380, such as by relayingrequests through the gateway 130 to the server 140. The server 140 cansimilarly route electronic information through the gateway 130 back tothe user device 110.

The device's 110 authorization to access the server 140 can be revokedat any time. When an administrator or EMM system determinesauthorization needs to be revoked, the system can revoke theauthentication token. For example, a lookup table associated with theauthentication token can be updated to reflect that the particularauthentication token is no longer accepted. In another example, a lookuptable associated with the device identifier can be updated to reflectthat the particular device identifier associated with the device 110 isnot allowed access. In this example, the gateway 130 will deny accessbecause the device-identifier lookup will fail. The EMM system cantherefore be configured to revoke access only to the unauthorized devicewhile optionally continuing to provide access to the user's 120 other,enrolled devices 122. In yet another example, an application identifiercan be placed on a blacklist such that requests from the applicationassociated with that application identifier are blocked or denied.

FIG. 3 provides a flowchart of an example method for controlling accessto a server. Stage 510 of the method includes receiving a request foraccess to a mail server 140 from a user device 110, where the requestincludes a user authentication credential. The user authenticationcredential can be a username and password combination associated withthe user, for example. In addition to the user authenticationcredential, the request can include a device identifier that isassociated with the user device 110, an application on the user device110, or both. In some examples, the request includes an applicationidentifier, separate from the device identifier, that identifies theapplication being used to request access. In one example, the deviceidentifier or application identifier, or both, can be included in a useragent string submitted as part of the request for access.

At stage 515, the gateway 130 or out-of-band communication module 150can identify the user 120 based on information included in the request.For example, the gateway 130 or out-of-band communication module 150 canperform a lookup by accessing a management server, repository 160, orother managed storage location that includes information about the user120. This information can include, for example, a user profileassociated with the user 120 and a listing of enrolled devices 122associated with the user 120, if any. The out-of-band communicationmodule 150 can then send a notification, such as an SMS, MMS, email,WORKSPACE ONE, or any other type of message, to the user 120 at one ormore of the user's 120 enrolled devices 122.

Stage 520 of the method can include sending an out-of-band message tothe user 120, requesting confirmation from the user 120 regarding therequest for access from the user 120. The out-of-band message can besent to a device 122 of the user, such as a phone or laptop computerdifferent than the user device 110 requesting access. The message cantake any form, such as an SMS, email, or other electronic communicationmethod. The message can also be a phone call to which the user canrespond by pressing buttons on a touchpad of their phone or byresponding verbally.

Stage 530 of the method can include receiving confirmation from the user120 in response to the out-of-band message. The confirmation can beprovided in any format, including a format similar to that used for theout-of-band message itself. For example, if the out-of-band message isan SMS message, the user 120 can respond via SMS by, for example, typing“YES.” Similarly, the user 120 can respond to an out-of-band emailmessage by using a reply email. In some examples, confirmation caninclude a lack of response from the user 120 within a certain timeframe.

Stage 540 can include sending an authentication token to the user device110. The authentication token can be tied to the user device 110, theuser 120, the application being used to request access to the server140, or any combination thereof. For example, the authentication tokencan identify a device identifier associated with the user device 110 andthe application. It can also identify a user 120 by, for example,identifying a profile saved at the gateway 130, repository 160,management server, or elsewhere. The authentication token can beprovided to the user device 110 through any suitable mechanism, such asfrom an authentication server, the gateway 130, the out-of-bandcommunication module 150, or through a service such as WORKSPACE ONE.

Stage 550 can include updating a database with information regarding theauthentication token and the associated user device 110, user 120, andapplication used to request access at stage 510. For example, the deviceidentifier associated with the user device 110 can be updated to reflectthat the user device 110 associated with the device identifier is alsoassociated with the authentication token. The database can be accessedin response to future requests to confirm that the user device 110 hasproper access to the requested server or other resource.

Stage 560 can include providing access to the mail server 140 based onreceiving the user authentication credential, device identifier, andauthentication token. As explained earlier, the user authenticationcredential can include the device identifier. The authentication tokenprovided to the user device 110 at stage 540 can be provided by the userdevice 110 in an updated or supplemental request for access. In someexamples, access can be provided to the mail server 140 based on theauthentication token alone, without the user authentication credentialor device identifier.

The descriptions above with respect to FIGS. 1-3 generally relate toexamples where an unknown (or unenrolled) device requests access to agateway or server. The examples described below, with respect to FIGS.4-6, generally relate to situations where a device, known to the EMMsystem, requests access to a gateway or server using a third-partyapplication for which EMM support is not adequately provided. Forexample, some third-party email applications do not includefunctionality for including a profile (for example, a profile pushed tothe requesting device from the EMM system) with the request for accessto the email server.

In some examples, and as shown in FIG. 4, a user device 110 can beenrolled with a management server 220. The management server 220 can beused to control access to a cloud service 230, such as a cloud-basedemail service. Example cloud-based email services include GOOGLE APPSFOR WORK, MICROSOFT OFFICE 365 (OUTLOOK), and AMAZON WEB SERVICES.

The user device 110 can enroll with the management server 220 forexample, as part of an overall EMM or MDM system. The EMM system caninclude multiple servers, processors, and computing devices. In someexamples, the management server 220 is a network of servers, some ofwhich can be located remotely from one another. In another example, themanagement server 220 is a single server with multiple purposes. In yetanother example, the management server 220 can be one or more serversdedicated to the operations described herein. The management server 220includes various components for enrollment and compliance monitoring andenforcement, which will be discussed later in this disclosure.

As part of the enrollment process, the management server 220 can cause amanagement agent 132 to be installed on the user device 110. Themanagement agent 132 can be a portion of an operating system for thedevice 110, or it can operate in the application layer of the devices110. For example, the management agent 132 can be a dedicatedapplication or other software that can monitor and manage data, softwarecomponents, and hardware components associated with the user device 110.The management agent 132 can monitor and control functionality and othermanaged applications 134 on the user device 110. The management agent132 installed on the user device 110 can include functionality forutilizing components specific to the user device 110, such as a GPSsensor, accelerometer, or gyroscope.

The management agent 132 can be an application, or portion of anapplication, that provides functionality beyond simply monitoring andmanaging resources in the user device 110. In one example, a developercan use a SDK to insert, for example, security libraries into a managedapplication 134 that can communicate with the management agent 132. Inanother example, a developer can incorporate libraries and othercomponents through a process of “wrapping.” To wrap an application, adeveloper can decompile the application, insert the libraries or othercomponents, and then recompile the application. When a library isincorporated into an application, the functionality provided by thelibrary can be called by the management agent 132 executing in the userdevice 110. For example, if a security library provides the ability tomonitor and enable or disable functionality provided by a managedapplication 134, the management agent 132 can call functions provided bythe library to monitor and enable or disable the functionality.

As mentioned above, the management server 220 can include components forenrolling the user device 110 and confirming compliance. With respect toenrollment, the management server 220 can include an enrollmentcomponent 221 and an administrator component 222, either or both ofwhich can be used for the process of enrolling a user device 110. Forexample, the use device 110 can communicate with the enrollmentcomponent 221 during the initial stages of enrollment. In some examples,the enrollment component 221 can provide a token to the user device 110indicating that the device 110 has been authenticated and is permittedto communicate and enroll with the management server 220. The managementserver 220 or enrollment component 221 can provide the user device 110with information regarding how to access and communicate with theadministrator component 222 in order to continue the enrollment process.

In some examples, the administrator component 222 can request a tokenfrom the user device 110, indicating that the user device 110 has beenauthenticated and is permitted to continue the enrollment process withthe administrator component 222. Upon receiving the token, theadministrator component 222 can continue the enrollment process. Theadministrator component 222 can also provide a console for anadministrator to configure and monitor the status of the user device 110and the enrollment process. In some examples, the administratorcomponent 222 can be dedicated to a particular enterprise or group ofenterprises, while the enrollment component 221 can be shared acrossmultiple different enterprises.

In addition to the enrollment component 221 and administrator component222 described above, the management server 220 can include one or moreorganizational groups 223. An organizational group 223 can include datarepresenting a group of devices 110 managed by the management server220. An organizational group 223 can correspond to a structure orhierarchy of a business or enterprise, such as an engineering team,accounting team, or marketing team. In other examples, the organizationgroup 223 can correspond to devices 110 located in a particulargeographic area, such as office space, a public waiting room, a user's120 home, or even particular floors, rooms, or portions of an office orhome.

The management server 220 can also include compliance rules 224. Acompliance rule 224 can set forth one or more conditions that must besatisfied in order for a user device 110 to be deemed compliant. Ifcompliance is broken, the management server 220 can take steps tocontrol access of the user device to enterprise files, applications, andemail. Compliance rules 224 can be assigned differently to the differentorganizational groups 223. In addition, compliance rules 224 can beassigned differently to different devices assigned to the same user 120.Compliance rules 224 can provide access to enterprise files to the userdevice 110 based on the user's organization group 223 or other criteria.Meanwhile, compliance rules 224 can cause the user device 110 to bewiped if it leaves a geographic area, is jailbroken, or if themanagement agent 132 is removed or disabled.

In some examples, a compliance rule 224 can specify one or moretriggering conditions. If a triggering condition occurs, the system canreact accordingly. For example, the management server 220 canautomatically perform one or more remedial actions. In another example,the management server 220 can prompt an administrator to take one ormore remedial actions. In some cases, remedial actions can be staged,such that the user 120 of a user device 110 is provided with a chance toremedy their noncompliance before being subjected to stricter remedialactions.

A management policy 225 can specify that a user device 110 haspermission to perform or access certain functionality. For example, theuser device 110 can be restricted to certain enterprise repositories andfunctions within applications. A management policy 225 can also specifythat a user device 110 has permission according to its organizationgroup 223. Organizational groups 223 can change over time, but becausethe management policy 225 can be associated with the organizationalgroup 223, the management policy 225 can automatically adjust a userdevice's 110 permission as soon as the device 110 joins or leaves anorganizational group 223.

As mentioned above, the user device 110 can include managed applications134 and unmanaged applications 136. Managed applications 134 can becontrolled by the management server 220 and management agent 132 on theuser device 110. For example, an administrator can set, at themanagement server 220, restrictions or requirements for using a managedapplication 134. Those restrictions or requirements can be enforced atthe user device 110 by the management agent 132 on the device 110.

Unmanaged applications 136 can include third-party applications orapplications that are not subject to direct control by the managementserver 220. In some examples, an unmanaged application 136 (such as anemail application for accessing a cloud-based OFFICE 365 service) isused to access the cloud service 230. In those examples, the managementserver 220 may not include an application programming interface (“API”)required to transmit profiles or otherwise exercise full control overthe unmanaged application 136 or associated cloud service 230. Thesystem depicted in FIG. 4 can be used to overcome these hurdles andprovide an adequate level of control over access to the cloud service230.

The system of FIG. 4 also includes an identity management service 240.The identity management service 240 can include one or more identitymanagement servers, which can be a part of, or separate from, themanagement server 220. The identity management service 240 can beconfigured to work with the cloud service 230, such that the identitymanagement service 240 authenticates a requesting user 120 or userdevice 110. The identity management service 240 can authenticate a user120 or user device 110 by, for example, using a SAML token andassociating it with a profile.

In one example, a cloud-based email server 230 can be configured toselect an appropriate identity management service 240 for authenticationbased on the domain of email address requesting access. For example, ifthe user's email address is jdoe@vmware.com, the cloud service 230 canidentify a specific identity management service 240 associated with the“vmware.com” domain. The authentication request can therefore be routedto the correct identity management infrastructure.

The identity management service 240 can receive the authenticationrequest from the cloud service 230 and, using the email address, look upthe user 120 in a database or lookup table associated with the “vmware”domain. In some examples, the look up is performed by contacting themanagement server 220 or other database associated with the domain.Based on this look up, the identity management service 240 can determinewhether the user 120 is associated with any user devices 110 enrolledwith the management server 220. If a user device 110 is enrolled andcompliant, the identity management service 240 can issue anauthentication token to the enrolled user device 110.

The user 120 can receive the authentication token through the managementagent 132 or an application-management service such as WORKSPACE ONE.The user 120 can be required to authenticate the authentication tokenby, for example, providing a username and password combination orconfirming that a particular third-party application was used to requestaccess to the to the cloud service 230.

In another example, the authentication token can be issued by themanagement server 220. This allows the management server 220 to performthe determination as to whether a device 110 should be allowed access tothe cloud service 230. For example, the management server 220 canconfirm that the user device 110 is compliant with any applicablecompliance rules 225, management policies 223, or other restrictions.When a user device 110 is not compliant, the management server 220 canwithhold the authentication credential or send a “block” command to thecloud service 230, instructing the cloud service 230 to block access forthe user device 110.

Alternatively, if the management server 220 determines that accessshould be granted, it can send the authentication credential to the userdevice 110 and send an “allow” command to the cloud service 230. The“allow” command can instruct the cloud service 230 to provide access tothe user device 110 based on receiving the authentication credentialfrom the user device 110.

Once an authentication token has been authenticated, the managementserver 220 can grant the user device 110 access to the cloud service bysending an appropriate command to the cloud service 230. The managementserver 220 can also update one or more lookup tables indicating that theuser device 110 and the particular application used for the request areauthorized for future requests. At that point, a user 120 need onlyenter a password when prompted by the relevant application in order togain access to the cloud service 230. The cloud service 230 will be ableto access the lookup table—either directly or by contacting the identitymanagement service 240—to confirm that the user device 110 andapplication are authorized for access.

Even after an authentication token has been issued to a user device 110,the management server 220 can revoke access to the cloud service 230 ifthe user device 110 falls out of compliance with the compliance rules225 or management policies 223 set at the management server 220. Forexample, if the management agent 132 is deleted from the user device110, the management server 220 can determine that the device 110 is outof compliance with one or more compliance rules 225. In response, themanagement server 220 can send a “block” command to the cloud service230, instructing the cloud service 230 to block access for the userdevice 110.

FIG. 5 provides a flowchart of an exemplary method for controllingaccess to a cloud service 230, such as a cloud-based email service.Stage 410 of the method can include enrollment of the user device 110with a management server 220. Enrollment can be done as part of anoverall EMM or MDM system. Enrollment can include installing amanagement agent 132 on the user device 110 to assist with monitoringand enforcing certain requirements at the user device 110. Enrollment atstage 410 can be performed any time prior to performing the remainingstages of FIG. 5. Alternatively, the cloud service 230 can be an emailserver that is not based on the cloud, such as an enterprise emailserver. A service in the cloud is only one example.

At stage 420, the user device 110 can request access to the cloudservice 230. For example, the user device 110 can open an unmanagedapplication 136 associated with the cloud service 230, such as aMICROSOFT OUTLOOK application, which then sends a request to a MICROSOFTcloud service 230 as part of an initial setup. In another example, therequest for access is provided when the user 120 is configuring settingsfor the cloud service 230, such as by inputting email-server informationinto an email application. In some examples, the user device 110 canmake the request for access without the user 120 taking any actions,such as when the application contacts the cloud service 230 as a resultof a background process.

The cloud service 230 can be configured to perform certain actions. Forexample, an administrator of an EMM or MDM system can configure thecloud service 230 such that it forwards access requests from unknowndevices to an identity management service 240 at stage 430. The cloudservice 230 can be configured to select an appropriate identitymanagement service 240 for authentication based on the domain of emailaddress requesting access. For example, if the user's email address isjdoe@vmware.com, the cloud service 230 can identify a specific identitymanagement service 240 associated with the “vmware.com” domain. Theauthentication request can therefore be routed to the correct identitymanagement infrastructure

The identity management service 240 can perform various tasks forauthenticating the requesting user device 110. In some examples, theidentity management service 240 can access information provided at, orby, the management server 220, and determine that the requesting userdevice 110 is authorized to access the cloud service 230. In that case,the identity management service 240 can skip to stage 460 and approveaccess directly.

In another example, and as shown at stage 440, the identity managementservice 240 can identify a management server 220 at which the userdevice 110 is enrolled and request authorization from the managementserver 220. The management server 220 can then perform thedetermination, at stage 450, as to whether the user device 110 should beallowed access to the cloud service 230. For example, the managementserver 220 can confirm that the user device 110 is compliant with anyapplicable compliance rules 225, management policies 223, or otherrestrictions.

After determining that the user device 110 should be allowed access tothe cloud service 230, the management server 220 can issue anauthentication token at stage 455. The user 120 can receive theauthentication token through the management agent 132 or anapplication-management service such as WORKSPACE ONE. The user 120 canbe required to authenticate the authentication token by, for example,providing a username and password combination or confirming that aparticular third-party application was used to request access to the tothe cloud service 230.

When a user device 110 is not compliant, the management server 220 canwithhold the authentication credential or send a “block” command to thecloud service 230, instructing the cloud service 230 to block access forthe user device 110. Alternatively, if the management server 220determines that access should be granted, it can send the authenticationcredential to the user device 110 and send an “allow” command to thecloud service 230. The “allow” command can be sent to the cloud service230 at stage 460, as shown in FIG. 5. The management server 220 can alsoupdate one or more lookup tables indicating that the user device 110 andthe particular application used for the request are authorized forfuture requests.

At stage 465, the user device 110 is prompted for a password to accessthe cloud service 230. The password can be the user's 120 email passwordfor the cloud service 230, a password associated with the managementserver 220 or EMM system, or another password. Finally, at stage 470,the cloud service 230 can allow access to the user device 110 such thatinformation can pass back and forth between the cloud service 230 anduser device 110 as needed.

FIG. 6 provides a flowchart of an example method for controlling accessto an email server. Stage 610 of the method can include receiving, at anidentity management server 240, a communication from an email server140. The communication can include information regarding a request foraccess to the email server 140 from a user device 110. For example, theidentity management server 240 can receive a communication from acloud-based email server that selects the identity management server 240based on a domain associated with the email address of a requesting userdevice 110.

Stage 620 can include sending, from the identity management server 240to a management server 220 at which the user device 110 is enrolled, arequest for authorization to access the email server 140. The identitymanagement server 240 can look up the appropriate management server 220at a database associated with the domain of the requesting email addressand forward the request to the management server 220.

Stage 630 can include determining, at the management server 220, whetherthe user device 110 is authorized to access the email server 140. Forexample, the management server 220 can confirm that the user device 110is compliant with the applicable compliance rules 225, managementpolicies 223, or other restrictions. When a user device 110 is notcompliant, the management server 220 can withhold the authenticationcredential or send a “block” command to the cloud service 230,instructing the cloud service 230 to block access for the user device110. Alternatively, if the management server 220 determines that accessshould be granted, it can send the authentication credential to the userdevice 110 and send an “allow” command to the cloud service 230 at stage640. The “allow” command can instruct the cloud service 230 to provideaccess to the user device 110 based on receiving the authenticationcredential from the user device 110.

Although the embodiments associated with FIGS. 1-6 are generallydirected toward examples where either the user's identity is unknown orthe requesting application is unknown, additional embodiments arecontemplated where both the user's identity and the requestingapplication are unknown at the time of the initial request for access.In that example, a level of trust can be formed for an unknown deviceusing an unknown application.

For example, referencing FIG. 1, when a request is received at a gateway130 and the device identifier lookup fails (because, for example, thedevice identifier has not been added to a whitelist or other approvedlist of device identifiers), the gateway 130 can send a request to theidentity management service 240 of FIG. 4 to identify a user associatedwith the device identifier. The identity management service 240 can usethe email address to look up the user in a database or lookup tableassociated with the domain of the email address, such as “vmware.com.”Based on this lookup, the system can identify the user and any enrolleddevices associated with the user.

If one or more enrolled devices associated with the user are identified,a request for confirmation can be sent to one or more of those enrolleddevices in accordance with stages 320 and 330 of FIG. 2. Once confirmed,an authentication token can be provided to the requesting device asdescribed with respect to stage 340 of FIG. 2 and stage 455 of FIG. 5. Amanagement server can approve access to the server as described in stage460 of FIG. 5, such as by sending an “allow” command to the relevantserver or cloud service. From there, authorization can be revoked usingany of the mechanisms described in FIGS. 1-6, as appropriate.

Other examples of the disclosure will be apparent to those skilled inthe art from consideration of the specification and practice of theexamples disclosed herein. Though some of the described methods havebeen presented as a series of steps, it should be appreciated that oneor more steps can occur simultaneously, in an overlapping fashion, or ina different order. The order of steps presented are only illustrative ofthe possibilities and those steps can be executed or performed in anysuitable fashion. Moreover, the various features of the examplesdescribed here are not mutually exclusive. Rather any feature of anyexample described here can be incorporated into any other suitableexample. It is intended that the specification and examples beconsidered as exemplary only, with a true scope and spirit of thedisclosure being indicated by the following claims.

What is claimed is:
 1. A method for providing access to an email server,comprising: receiving, at an identity management server, a communicationfrom the email server, the communication including information regardinga request for access to the email server from a user device; in responseto receiving the communication from the email server at the identitymanagement server, sending, from the identity management server to amanagement server at which the user device is enrolled, a request forauthorization to access the email server; determining, at the managementserver, whether the user device is authorized to access the emailserver; and in response to the management server determining that theuser device is authorized to access the email server, instructing theidentity management server to provide an authentication token to theuser device for accessing the email server.
 2. The method of claim 1,wherein the identity management server is identified to receive thecommunication from the email server based on a domain of an emailaddress associated with the user device.
 3. The method of claim 1,further comprising updating, by the management server, a lookup table toindicate that the user device is authorized to access the email server,wherein the identity management server uses the lookup table to performa subsequent authorization of the user device.
 4. The method of claim 1,further comprising, in response to the management server determiningthat the user device is not authorized to access the email server,instructing the email server to block access for the user device.
 5. Themethod of claim 1, wherein the information regarding the request forauthorization to access the email server includes the identification ofan application used to request access to the email server, and whereindetermining whether the user device is authorized comprises determining,at the management server, whether the identified application is approvedto access the email server.
 6. The method of claim 1, whereindetermining whether the user device is authorized to access the emailserver comprises: sending an out-of-band message to the user, themessage requesting confirmation from the user regarding the request foraccess from the user device; and receiving confirmation from the user inresponse to the out-of-band message.
 7. The method of claim 1, furthercomprising instructing the email server to request the authenticationtoken from the user device, wherein access is contingent upon theauthentication token being received at the email server.
 8. Anon-transitory, computer-readable medium comprising instructions that,when executed by a processor associated with a computing device, causethe processor to perform stages for providing access to an email server,the stages comprising: receiving, at an identity management server, acommunication from the email server, the communication includinginformation regarding a request for access to the email server from auser device; in response to receiving the communication from the emailserver at the identity management server, sending, from the identitymanagement server to a management server at which the user device isenrolled, a request for authorization to access the email server;determining, at the management server, whether the user device isauthorized to access the email server; and in response to the managementserver determining that the user device is authorized to access theemail server, instructing the identity management server to provide anauthentication token to the user device for accessing the email server.9. The non-transitory, computer-readable medium of claim 8, wherein theidentity management server is identified to receive the communicationfrom the email server based on a domain of an email address associatedwith the user device.
 10. The non-transitory, computer-readable mediumof claim 8, the stages further comprising updating, by the managementserver, a lookup table to indicate that the user device is authorized toaccess the email server, wherein the identity management server uses thelookup table to perform a subsequent authorization of the user device.11. The non-transitory, computer-readable medium of claim 8, the stagesfurther comprising, in response to the management server determiningthat the user device is not authorized to access the email server,instructing the email server to block access for the user device. 12.The non-transitory, computer-readable medium of claim 8, wherein theinformation regarding the request for authorization to access the emailserver includes the identification of an application used to requestaccess to the email server, and wherein determining whether the userdevice is authorized comprises determining, at the management server,whether the identified application is approved to access the emailserver.
 13. The non-transitory, computer-readable medium of claim 8,wherein determining whether the user device is authorized to access theemail server comprises: sending an out-of-band message to the user, themessage requesting confirmation from the user regarding the request foraccess from the user device; and receiving confirmation from the user inresponse to the out-of-band message.
 14. The non-transitory,computer-readable medium of claim 8, the stages-further comprisinginstructing the email server to request the authentication token fromthe user device, wherein access is contingent upon the authenticationtoken being received at the email server.
 15. A system for providingaccess to an email server, comprising: an identity management server;and a management server at which a user device is enrolled, wherein:receiving, at an identity management server, a communication from theemail server, the communication including information regarding arequest for access to the email server from a user device; in responseto receiving the communication from the email server at the identitymanagement server, sending, from the identity management server to amanagement server at which the user device is enrolled, a request forauthorization to access the email server; determining, at the managementserver, whether the user device is authorized to access the emailserver; and in response to the management server determining that theuser device is authorized to access the email server, instructing theidentity management server to provide an authentication token to theuser device for accessing the email server.
 16. The system of claim 15,wherein the identity management server is identified to receive thecommunication from the email server based on a domain of an emailaddress associated with the user device.
 17. The system of claim 15,further comprising updating, by the management server, a lookup table toindicate that the user device is authorized to access the email server,wherein the identity management server uses the lookup table to performa subsequent authorization of the user device.
 18. The system of claim15, further comprising, in response to the management server determiningthat the user device is not authorized to access the email server,instructing the email server to block access for the user device. 19.The system of claim 15, wherein the management server determines whetherthe user device is authorized to access the email server by: sending anout-of-band message to the user, the message requesting confirmationfrom the user regarding the request for access from the user device; andreceiving confirmation from the user in response to the out-of-bandmessage.
 20. The system of claim 15, further comprising instructing theemail server to request the authentication token from the user device,wherein access is contingent upon the authentication token beingreceived at the email server.